The hypothesis behind this rule is that an adversary distributing malicious PDF documents reuses a distinctive author string across samples, either because their document-generation tooling sets it or because they never bother to change it. The rule treats four such strings as indicators of a suspicious document. A SOC team should proactively hunt for PDFs carrying these strings (for example, mail attachments and files written to endpoints) in Microsoft Sentinel (formerly Azure Sentinel) to surface malicious documents that other controls did not flag.
YARA Rule
rule suspicious_author : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 4

    strings:
        // "%PDF" file signature as raw bytes
        $magic = { 25 50 44 46 }
        // version header; only 1.3, 1.4 and 1.6 are covered
        $header = /%PDF-1\.(3|4|6)/
        // author strings treated as indicators; matched as raw bytes anywhere in the file
        $author0 = "Ubzg1QUbzuzgUbRjvcUb14RjUb1"
        $author1 = "ser pes"
        $author2 = "Miekiemoes"
        $author3 = "Nsarkolke"

    condition:
        // signature must start within the first 1024 bytes; at least one author string required
        $magic in (0..1024) and $header and 1 of ($author*)
}
This YARA rule can be deployed in the following contexts:
This rule declares 6 string patterns: the 4-byte "%PDF" magic, the version-header regex, and four author strings. The condition requires the magic to start within the first 1024 bytes of the file, the header regex to match anywhere, and at least one of the author strings to be present. Two properties matter when tuning the hunt: the header regex only accepts PDF versions 1.3, 1.4 and 1.6, so a document declaring 1.5, 1.7 or 2.0 will not match even if it carries one of the author strings; and the author strings are matched as raw bytes anywhere in the file, not in the parsed /Author metadata entry, so a short string such as "ser pes" can fire on unrelated content.
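To make the condition concrete, the following is a plain-Python re-implementation of the rule's logic run over constructed PDF-like byte strings. This is an added example, not part of the original page and not the rule author's tooling; the sample documents are constructed here and are not valid renderable PDFs. It demonstrates both the intended hit and the two gaps noted above: a version-1.7 document with a listed author is missed, and an author string sitting outside the metadata still triggers the rule.

```python
"""Plain-Python emulation of the suspicious_author YARA rule (added example).

The constants below are copied from the rule; the sample documents are
constructed for illustration and are not valid renderable PDFs.
"""
import re

MAGIC = b"%PDF"                                   # { 25 50 44 46 }
HEADER_RE = re.compile(rb"%PDF-1\.(3|4|6)")       # /%PDF-1\.(3|4|6)/
AUTHOR_STRINGS = [
    b"Ubzg1QUbzuzgUbRjvcUb14RjUb1",
    b"ser pes",
    b"Miekiemoes",
    b"Nsarkolke",
]


def matches_suspicious_author(data: bytes) -> dict:
    """Evaluate each sub-condition of the rule and the overall verdict.

    '$magic in (0..1024)' means the match may START at any offset up to 1024,
    so the search window has to extend len(MAGIC) bytes past offset 1024.
    """
    magic_hit = MAGIC in data[:1024 + len(MAGIC)]
    header_hit = HEADER_RE.search(data) is not None
    authors_hit = [s.decode() for s in AUTHOR_STRINGS if s in data]
    return {
        "magic": magic_hit,
        "header": header_hit,
        "authors": authors_hit,
        # '1 of ($author*)' is satisfied by one or more author strings
        "match": magic_hit and header_hit and len(authors_hit) >= 1,
    }


def make_pdf(version: bytes, author: bytes, prefix: bytes = b"") -> bytes:
    """Build a tiny constructed PDF-like byte string with an /Author entry.

    'prefix' lets us push the %PDF signature past the 1024-byte window.
    """
    return (prefix + b"%PDF-" + version + b"\n"
            b"1 0 obj << /Type /Catalog >> endobj\n"
            b"2 0 obj << /Author (" + author + b") /Producer (test) >> endobj\n"
            b"%%EOF\n")


if __name__ == "__main__":
    cases = {
        "listed author, PDF-1.4": make_pdf(b"1.4", b"Miekiemoes"),
        "listed author, PDF-1.7 (header gap)": make_pdf(b"1.7", b"Miekiemoes"),
        "unlisted author": make_pdf(b"1.4", b"Alice"),
        "signature past 1024 bytes": make_pdf(b"1.4", b"Miekiemoes", prefix=b"X" * 2000),
        "author string outside metadata": make_pdf(b"1.3", b"Bob") + b"ser pes\n",
    }
    for label, doc in cases.items():
        print(f"{label:40} -> {matches_suspicious_author(doc)}")
```

Run as a script to see each sub-condition next to its verdict; the fourth and fifth cases are the ones worth remembering when triaging hits, since a real document can both dodge the header regex and fire on an incidental substring.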
The following scenarios describe benign endpoint activity that can add noise to the telemetry used for this hunt, each with a suggested exclusion. Two caveats apply. First, these exclusions tune the process and file telemetry that feeds the hunt; they do not change the YARA rule, which inspects file content. Second, an exclusion keyed on command-line keywords or on a generic process name is trivially defeated, because the adversary chooses both for their own tooling. Prefer exclusions pinned to the exact signed binary path of the benign tool, and verify the actual process names against your deployment before relying on them.
Scenario: A system administrator is using PowerShell to generate a report on system users for compliance purposes.
Filter/Exclusion: Exclude processes initiated by the Local System account or those with a command line containing "report", "audit", or "compliance". Note that excluding everything run as Local System also hides post-escalation attacker activity.
Scenario: Sysmon (Sysinternals System Monitor) runs as a system service collecting process, network, and file activity.
Filter/Exclusion: Exclude processes with ProcessName equal to "sysmon.exe" or ImageLoaded paths containing "Sysmon".
Scenario: An IT support tool such as Microsoft Endpoint Manager (MEM) is used to deploy patches or configuration updates.
Filter/Exclusion: Exclude processes with ProcessName equal to "setup.exe" or a command line containing "update", "patch", or "deployment". "setup.exe" is a generic name; scope the exclusion to the deployment tool's actual install path.
Scenario: A backup job using Veeam Backup & Replication is running to archive user data.
Filter/Exclusion: Exclude processes with ProcessName equal to "veeam.exe" or a command line containing "backup", "archive", or "snapshot". Confirm the real Veeam service binary names and paths in your environment before excluding them.
Scenario: A system update via Windows Update is being installed, which may involve temporary files or scripts.
Filter/Exclusion: Exclude processes with ProcessName equal to "wuauclt.exe" or a command line containing "update", "install", or "WindowsUpdate".
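The exclusions above are easy to apply but equally easy to abuse. The following added example (not part of the original page) applies the keyword and process-name exclusions from these scenarios to a handful of constructed process-creation events and contrasts them with an exact-path exclusion. The event field names, the sample events, and the benign path set are assumptions chosen for illustration.

```python
"""Keyword/process-name exclusions versus exact-path exclusions (added example).

ProcessEvent field names and the EVENTS list are constructed for illustration;
they are not a real Sentinel schema or captured telemetry.
"""
import ntpath
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal stand-in for a process-creation record (assumed field names)."""
    image_path: str
    command_line: str
    account: str


# Exclusions as literally proposed in the scenarios: generic process names,
# command-line keywords, and anything running as Local System.
KEYWORDS = ("report", "audit", "compliance", "update", "patch", "deployment",
            "backup", "archive", "snapshot", "install", "windowsupdate")
PROCESS_NAMES = {"sysmon.exe", "setup.exe", "veeam.exe", "wuauclt.exe"}


def excluded_by_keyword(ev: ProcessEvent) -> bool:
    """Exclusion logic keyed on account, file name and command-line words."""
    name = ntpath.basename(ev.image_path).lower()
    cmd = ev.command_line.lower()
    return (ev.account.lower() == r"nt authority\system"
            or name in PROCESS_NAMES
            or any(k in cmd for k in KEYWORDS))


# Tighter alternative: the adversary controls the file name and command line
# of their own tooling, but not the path of the genuine Windows Update client.
EXACT_PATHS = {r"c:\windows\system32\wuauclt.exe"}   # assumed benign binary set


def excluded_by_path(ev: ProcessEvent) -> bool:
    """Exclusion logic keyed only on the exact image path."""
    return ev.image_path.lower() in EXACT_PATHS


# Constructed events: one genuine Windows Update run, then two attacker-style
# processes that dress themselves up with the names and words the keyword
# filter looks for.
EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wuauclt.exe", "wuauclt.exe /detectnow",
                 r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(r"C:\Users\Public\update.exe", "update.exe --patch --install",
                 r"CORP\jdoe"),
    ProcessEvent(r"C:\Users\jdoe\AppData\Local\Temp\setup.exe", "setup.exe /silent",
                 r"CORP\jdoe"),
]


def survivors(events: Iterable[ProcessEvent],
              exclusion: Callable[[ProcessEvent], bool]) -> List[str]:
    """Return the image paths that remain in scope after an exclusion is applied."""
    return [ev.image_path for ev in events if not exclusion(ev)]


if __name__ == "__main__":
    print("keyword exclusions keep:", survivors(EVENTS, excluded_by_keyword))
    print("exact-path exclusions keep:", survivors(EVENTS, excluded_by_path))
```

With the keyword and name exclusions every event drops out, including the two that should have been triaged; the exact-path variant removes only the genuine Windows Update process and keeps the rest in scope.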